Jon Karl Miyake
miyake at darkwing.uoregon.edu
Mon Aug 18 19:05:15 GMT 2003
I'm going to give you all the information in brief that I have on hand
regarding the compromised machines that we have run across due to the RPC
exploit. It is getting difficult to mentally separate out the different
dropkits that we have seen on infected machines over the last two-three
weeks. If you have seen any differences on your network or want more
information on anything that has been glossed over please feel free to
ship me a note.
On the machines announcing "rpcwhore" on campus we have noticed the
following ports open.
Port 48522/tcp will often have an ftp banner.
220 Welcome To The Consultant's Ftp.
220-welcome to the consultant.
Compromised machines announcing "rpcwhore" may not have an ftp daemon
running. I've come across a few machines that only had 6351/tcp open.
There was a brief posting to the EDUCAUSE security listserv concerning
this type of colonization and some of the ports to look for on a
Some of the machines we have come across have files in one or all of the
following directories. Please note that these locations may or may not
normally exist on a system or have files in them.
Part of the problem that we have come across is that machines may have been
compromised by more than one group/individual. As such you may find
several different types of dropkits on a single machine when you go to
clean it up.
You may find one or more of the following programs actively ...
FireDaemon.exe, aysshell.exe, winmgnt.exe, csrss.exe
It is important to note that csrss.exe is commonly found on Win2k and WinXP
systems. The fact that this is running does not necessarily mean you have
a compromised machine. If you see two instances of this running it is
likely that the machine is compromised (please correct me if I'm
Symantec has a write-up that is similar to what we have seen.
As with all things your mileage may vary. But hopefully this information
gives you a starting point.
User Services and
voice #: (541) 346-1635
Computing Center Room 225
University of Oregon
On Mon, 18 Aug 2003, Steve Bernard wrote:
> We are finding a lot of Microsoft boxes which are trying to join the IRC
> channel #rpcwhore, but that show no other outward signs of compromise or
> vulnerability. So far, all connection attempts have been to either
> 126.96.36.199 or 188.8.131.52. I can't find any mention of "rpcwhore" via
> Google, Yahoo, etc. Given that these boxes aren't being used for warez or
> the like I am assuming that they are DDoS agents. I haven't gotten a box to
> analyze yet. Has anyone else seen this before?
> Steve Bernard
> Sr. Systems Engineer, NET
> George Mason University
> Fairfax, Virginia
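As an added example that is not from the post or from the list, here is a small Python triage check that applies the indicators discussed above (the two ports, the "Consultant" ftp banner text, the dropkit process names, a second csrss.exe instance, and the #rpcwhore IRC join from Steve's mail) to constructed netstat, banner and process data for one host; the function names, the netstat line format and the sample records are assumptions.

```python
import re
from collections import Counter

# Indicators taken from the post; everything else in this file is assumed.
SUSPECT_PORTS = {48522, 6351}
BANNER_RE = re.compile(r"welcome to the consultant", re.IGNORECASE)
DROPKIT_PROCS = {"firedaemon.exe", "aysshell.exe", "winmgnt.exe"}
IRC_CHANNEL = "#rpcwhore"
# Per the post, one csrss.exe is normal on Win2k/XP; a second one is not.
LEGIT_PROC_MAX = {"csrss.exe": 1}

# Assumed 'netstat -an' style line: TCP <local addr>:<port> <remote> LISTENING
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)

def listening_ports(netstat_text):
    """Set of TCP ports in LISTENING state parsed from netstat-style output."""
    return {int(m.group(1)) for line in netstat_text.splitlines()
            if (m := NETSTAT_RE.match(line))}

def triage(netstat_text, banners, processes, irc_joins):
    """Return the list of indicator hits for one host (empty list = none)."""
    hits = []
    for port in sorted(SUSPECT_PORTS & listening_ports(netstat_text)):
        hits.append(f"listening on {port}/tcp")
    for port, banner in sorted(banners.items()):
        if BANNER_RE.search(banner):
            hits.append(f"consultant ftp banner on {port}/tcp")
    counts = Counter(p.lower() for p in processes)
    for name in sorted(DROPKIT_PROCS & set(counts)):
        hits.append(f"dropkit process {name} running")
    for name, limit in LEGIT_PROC_MAX.items():
        if counts.get(name, 0) > limit:
            hits.append(f"{counts[name]} instances of {name}")
    if any(ch.lower() == IRC_CHANNEL for ch in irc_joins):
        hits.append(f"joined IRC channel {IRC_CHANNEL}")
    return hits

# Constructed sample host; not data from either poster's network.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135      0.0.0.0:0      LISTENING
  TCP    0.0.0.0:48522    0.0.0.0:0      LISTENING
  TCP    0.0.0.0:6351     0.0.0.0:0      LISTENING
"""
SAMPLE_BANNERS = {48522: "220 Welcome To The Consultant's Ftp."}
SAMPLE_PROCS = ["csrss.exe", "csrss.exe", "explorer.exe", "FireDaemon.exe"]
SAMPLE_IRC = ["#rpcwhore"]

if __name__ == "__main__":
    for hit in triage(SAMPLE_NETSTAT, SAMPLE_BANNERS, SAMPLE_PROCS, SAMPLE_IRC):
        print(hit)
```

A host that shows none of these hits can still be compromised, as Steve's mail notes; the check only confirms the indicators the thread lists.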